man: don't suggest using pam_unix.so's use_authtok switch

Our dumbed down example PAM stacks do not contain cracklib/pwq modules, hence using use_authtok on the pam_unix.so password change stack won't work, because it has the effect that pam_unix.so never asks for a password on its own, expecting the cracklib/pwq modules to have queried/validated them beforehand. I noticed this issue because of #30969: Debian's PAM setup suffers by the same issue – even though they don't actually use our suggested PAM fragments at all. See: #30969
2024-06-29 06:34:30 +00:00 · 2024-01-17 23:41:14 +01:00 · 2024-01-17 23:41:14 +01:00 · 75f8b0fe70
commit 75f8b0fe70
parent b9e2d83b75
3 changed files with 3 additions and 4 deletions
--- a/factory/etc/pam.d/system-auth
+++ b/factory/etc/pam.d/system-auth
@ -13,7 +13,7 @@ account   sufficient pam_unix.so
 account   required   pam_permit.so

 -password sufficient pam_systemd_home.so
-password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password  sufficient pam_unix.so sha512 shadow try_first_pass
 password  required   pam_deny.so

 -session  optional   pam_keyinit.so revoke
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@ -411,8 +411,7 @@ account   sufficient pam_unix.so
 account   required   pam_permit.so

 -password sufficient pam_systemd_home.so
-password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
-
+password  sufficient pam_unix.so sha512 shadow try_first_pass
 password  required   pam_deny.so

 -session  optional   pam_keyinit.so revoke
--- a/man/pam_systemd_home.xml
+++ b/man/pam_systemd_home.xml
@ -158,7 +158,7 @@ account   sufficient pam_unix.so
 account   required   pam_permit.so

 <command>-password sufficient pam_systemd_home.so</command>
-password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password  sufficient pam_unix.so sha512 shadow try_first_pass
 password  required   pam_deny.so

 -session  optional   pam_keyinit.so revoke